2011-07-20 22:04:18 +04:00
/*
2014-03-17 13:38:38 +04:00
* Copyright ( C ) 2011 - 2014 Red Hat , Inc .
2011-07-20 22:04:18 +04:00
*
* This library is free software ; you can redistribute it and / or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation ; either
* version 2.1 of the License , or ( at your option ) any later version .
*
* This library is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
* Lesser General Public License for more details .
*
* You should have received a copy of the GNU Lesser General Public
2012-09-21 02:30:55 +04:00
* License along with this library . If not , see
2012-07-21 14:06:23 +04:00
* < http : //www.gnu.org/licenses/>.
2011-07-20 22:04:18 +04:00
*
* Author : Daniel P . Berrange < berrange @ redhat . com >
*/
# include <config.h>
# include <stdlib.h>
# include <fcntl.h>
# include <sys/socket.h>
# include "testutils.h"
2013-08-05 19:49:24 +04:00
# include "virnettlshelpers.h"
2012-12-13 21:44:57 +04:00
# include "virutil.h"
2012-12-13 22:21:53 +04:00
# include "virerror.h"
2012-12-12 22:06:53 +04:00
# include "viralloc.h"
2012-12-12 21:59:27 +04:00
# include "virlog.h"
2011-07-20 22:04:18 +04:00
# include "virfile.h"
2012-12-12 20:27:01 +04:00
# include "vircommand.h"
Split src/util/network.{c,h} into 5 pieces
The src/util/network.c file is a dumping ground for many different
APIs. Split it up into 5 pieces, along functional lines
- src/util/virnetdevbandwidth.c: virNetDevBandwidth type & helper APIs
- src/util/virnetdevvportprofile.c: virNetDevVPortProfile type & helper APIs
- src/util/virsocketaddr.c: virSocketAddr and APIs
- src/conf/netdev_bandwidth_conf.c: XML parsing / formatting
for virNetDevBandwidth
- src/conf/netdev_vport_profile_conf.c: XML parsing / formatting
for virNetDevVPortProfile
* src/util/network.c, src/util/network.h: Split into 5 pieces
* src/conf/netdev_bandwidth_conf.c, src/conf/netdev_bandwidth_conf.h,
src/conf/netdev_vport_profile_conf.c, src/conf/netdev_vport_profile_conf.h,
src/util/virnetdevbandwidth.c, src/util/virnetdevbandwidth.h,
src/util/virnetdevvportprofile.c, src/util/virnetdevvportprofile.h,
src/util/virsocketaddr.c, src/util/virsocketaddr.h: New pieces
* daemon/libvirtd.h, daemon/remote.c, src/conf/domain_conf.c,
src/conf/domain_conf.h, src/conf/network_conf.c,
src/conf/network_conf.h, src/conf/nwfilter_conf.h,
src/esx/esx_util.h, src/network/bridge_driver.c,
src/qemu/qemu_conf.c, src/rpc/virnetsocket.c,
src/rpc/virnetsocket.h, src/util/dnsmasq.h, src/util/interface.h,
src/util/iptables.h, src/util/macvtap.c, src/util/macvtap.h,
src/util/virnetdev.h, src/util/virnetdevtap.c,
tools/virsh.c: Update include files
2011-11-02 19:40:08 +04:00
# include "virsocketaddr.h"
2011-07-20 22:04:18 +04:00
2012-01-30 21:44:13 +04:00
# if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
2011-07-20 22:04:18 +04:00
# include "rpc / virnettlscontext.h"
# define VIR_FROM_THIS VIR_FROM_RPC
2014-02-28 16:16:17 +04:00
VIR_LOG_INIT ( " tests.nettlscontexttest " ) ;
2013-08-09 02:08:25 +04:00
# define KEYFILE "key-ctx.pem"
2011-07-20 22:04:18 +04:00
struct testTLSContextData {
bool isServer ;
2013-08-06 14:35:49 +04:00
const char * cacrt ;
const char * crt ;
2011-07-20 22:04:18 +04:00
bool expectFail ;
} ;
/*
* This tests sanity checking of our own certificates
*
* This code is done when libvirtd starts up , or before
* a libvirt client connects . The test is ensuring that
* the creation of virNetTLSContextPtr fails if we
2012-10-11 20:31:20 +04:00
* give bogus certs , or succeeds for good certs
2011-07-20 22:04:18 +04:00
*/
static int testTLSContextInit ( const void * opaque )
{
struct testTLSContextData * data = ( struct testTLSContextData * ) opaque ;
virNetTLSContextPtr ctxt = NULL ;
int ret = - 1 ;
if ( data - > isServer ) {
2013-08-06 14:35:49 +04:00
ctxt = virNetTLSContextNewServer ( data - > cacrt ,
2011-07-20 22:04:18 +04:00
NULL ,
2013-08-06 14:35:49 +04:00
data - > crt ,
2013-08-09 02:08:25 +04:00
KEYFILE ,
2011-07-20 22:04:18 +04:00
NULL ,
2016-06-03 19:44:55 +03:00
NULL ,
2011-07-20 22:04:18 +04:00
true ,
true ) ;
} else {
2013-08-06 14:35:49 +04:00
ctxt = virNetTLSContextNewClient ( data - > cacrt ,
2011-07-20 22:04:18 +04:00
NULL ,
2013-08-06 14:35:49 +04:00
data - > crt ,
2013-08-09 02:08:25 +04:00
KEYFILE ,
2016-06-03 19:44:55 +03:00
NULL ,
2011-07-20 22:04:18 +04:00
true ,
true ) ;
}
if ( ctxt ) {
if ( data - > expectFail ) {
VIR_WARN ( " Expected failure %s against %s " ,
2013-08-06 14:35:49 +04:00
data - > cacrt , data - > crt ) ;
2011-07-20 22:04:18 +04:00
goto cleanup ;
}
} else {
if ( ! data - > expectFail ) {
VIR_WARN ( " Unexpected failure %s against %s " ,
2013-08-06 14:35:49 +04:00
data - > cacrt , data - > crt ) ;
2011-07-20 22:04:18 +04:00
goto cleanup ;
}
2016-03-18 23:58:02 +03:00
VIR_DEBUG ( " Got error %s " , virGetLastErrorMessage ( ) ) ;
2011-07-20 22:04:18 +04:00
}
ret = 0 ;
2014-03-25 10:53:44 +04:00
cleanup :
2012-07-11 17:35:48 +04:00
virObjectUnref ( ctxt ) ;
2011-07-20 22:04:18 +04:00
return ret ;
}
static int
mymain ( void )
{
int ret = 0 ;
2014-09-04 13:23:16 +04:00
setenv ( " GNUTLS_FORCE_FIPS_MODE " , " 2 " , 1 ) ;
2013-08-09 02:08:25 +04:00
testTLSInit ( KEYFILE ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
2011-07-20 22:04:18 +04:00
do { \
test: fix build errors with gcc 4.7.0 and -O0
When building on Fedora 17 (which uses gcc 4.7.0) with -O0 in CFLAGS,
three of the tests failed to compile.
cputest.c and qemuxml2argvtest.c had non-static structs defined
inside the macro that was being repeatedly invoked. Due to some so-far
unidentified change in gcc, the stack space used by variables defined
inside { } is not recovered/re-used when the block ends, so all these
structs have become additive (this is the same problem worked around
in commit cf57d345b). Fortunately, these two files could be fixed with
a single line addition of "static" to the struct definition in the
macro.
virnettlscontexttest.c was a bit different, though. The problem structs
in the do/while loop of macros had non-constant initializers, so it
took a bit more work and piecemeal initialization instead of member
initialization to get things to be happy.
In an ideal world, none of these changes should be necessary, but not
knowing how long it will be until the gcc regressions are fixed, and
since the code is just as correct after this patch as before, it makes
sense to fix libvirt's build for -O0 while also reporting the gcc
problem.
2012-04-06 00:31:36 +04:00
static struct testTLSContextData data ; \
data . isServer = _isServer ; \
2013-08-06 14:35:49 +04:00
data . cacrt = _caCrt ; \
data . crt = _crt ; \
test: fix build errors with gcc 4.7.0 and -O0
When building on Fedora 17 (which uses gcc 4.7.0) with -O0 in CFLAGS,
three of the tests failed to compile.
cputest.c and qemuxml2argvtest.c had non-static structs defined
inside the macro that was being repeatedly invoked. Due to some so-far
unidentified change in gcc, the stack space used by variables defined
inside { } is not recovered/re-used when the block ends, so all these
structs have become additive (this is the same problem worked around
in commit cf57d345b). Fortunately, these two files could be fixed with
a single line addition of "static" to the struct definition in the
macro.
virnettlscontexttest.c was a bit different, though. The problem structs
in the do/while loop of macros had non-constant initializers, so it
took a bit more work and piecemeal initialization instead of member
initialization to get things to be happy.
In an ideal world, none of these changes should be necessary, but not
knowing how long it will be until the gcc regressions are fixed, and
since the code is just as correct after this patch as before, it makes
sense to fix libvirt's build for -O0 while also reporting the gcc
problem.
2012-04-06 00:31:36 +04:00
data . expectFail = _expectFail ; \
2016-05-26 18:01:50 +03:00
if ( virTestRun ( " TLS Context " # _caCrt " + " # _crt , \
testTLSContextInit , & data ) < 0 ) \
2011-07-20 22:04:18 +04:00
ret = - 1 ; \
} while ( 0 )
2013-08-05 20:08:17 +04:00
# define TLS_CERT_REQ(varname, cavarname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
2013-08-06 14:35:49 +04:00
NULL , # varname " -ctx.pem " , \
2013-08-05 20:08:17 +04:00
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
testTLSGenerateCert ( & varname , cavarname . crt )
# define TLS_ROOT_REQ(varname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
2013-08-06 14:35:49 +04:00
NULL , # varname " -ctx.pem " , \
2013-08-05 20:08:17 +04:00
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
testTLSGenerateCert ( & varname , NULL )
2011-07-20 22:04:18 +04:00
/* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertreq ,
" UK " , " libvirt CA " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertreq , cacertreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertreq , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercertreq . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertreq . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Some other CAs which are good */
/* Basic:CA:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert1req ,
" UK " , " libvirt CA 1 " , NULL , NULL , NULL , NULL ,
true , true , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert1req , cacert1req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* Basic:CA:not-critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert2req ,
" UK " , " libvirt CA 2 " , NULL , NULL , NULL , NULL ,
true , false , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert2req , cacert2req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-05 19:49:24 +04:00
/* Key usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert3req ,
" UK " , " libvirt CA 3 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert3req , cacert3req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacert1req . filename , servercert1req . filename , false ) ;
DO_CTX_TEST ( true , cacert2req . filename , servercert2req . filename , false ) ;
DO_CTX_TEST ( true , cacert3req . filename , servercert3req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Now some bad certs */
2013-03-04 21:27:38 +04:00
/* Key usage:dig-sig:not-critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert4req ,
" UK " , " libvirt CA 4 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , false , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert4req , cacert4req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* no-basic */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert5req ,
" UK " , " libvirt CA 5 " , NULL , NULL , NULL , NULL ,
false , false , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert5req , cacert5req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* Key usage:dig-sig:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert6req ,
" UK " , " libvirt CA 6 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert6req , cacert6req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-03-04 21:27:38 +04:00
/* Technically a CA cert with basic constraints
* key purpose = = key signing + non - critical should
2013-12-23 12:01:42 +04:00
* be rejected . GNUTLS < 3.1 does not reject it and
2013-03-04 21:27:38 +04:00
* we don ' t anticipate them changing this behaviour
*/
2013-12-23 12:01:42 +04:00
DO_CTX_TEST ( true , cacert4req . filename , servercert4req . filename ,
( GNUTLS_VERSION_MAJOR = = 3 & & GNUTLS_VERSION_MINOR > = 1 ) | |
GNUTLS_VERSION_MAJOR > 3 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacert5req . filename , servercert5req . filename , true ) ;
DO_CTX_TEST ( true , cacert6req . filename , servercert6req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Various good servers */
/* no usage or purpose */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:server:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:server:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert11req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+server:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert12req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+server:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert13req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercert7req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert8req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert9req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert10req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert11req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert12req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert13req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Bad servers */
/* usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert14req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert15req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage: none:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert16req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercert14req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert15req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert16req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Various good clients */
/* no usage or purpose */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert2req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert3req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert4req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert5req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert6req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+client:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert1req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert2req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert3req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert4req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert5req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert6req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert7req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Bad clients */
/* usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage: none:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert8req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert9req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert10req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Expired stuff */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertexpreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( servercertexpreq , cacertexpreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( clientcertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , - 1 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertexpreq . filename , servercertexpreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertexp1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertexp1req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Not activated stuff */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( servercertnewreq , cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( clientcertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
1 , 2 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertnewreq . filename , servercertnewreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertnew1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertnew1req . filename , true ) ;
2013-08-05 20:08:17 +04:00
2013-08-06 15:31:20 +04:00
TLS_ROOT_REQ ( cacertrootreq ,
" UK " , " libvirt root " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1areq , cacertrootreq ,
" UK " , " libvirt level 1a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1breq , cacertrootreq ,
" UK " , " libvirt level 1b " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel2areq , cacertlevel1areq ,
" UK " , " libvirt level 2a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertlevel3areq , cacertlevel2areq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertlevel2breq , cacertlevel1breq ,
" UK " , " libvirt client level 2b " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
gnutls_x509_crt_t certchain [ ] = {
cacertrootreq . crt ,
cacertlevel1areq . crt ,
cacertlevel1breq . crt ,
cacertlevel2areq . crt ,
} ;
2013-08-09 11:53:30 +04:00
testTLSWriteCertChain ( " cacertchain-ctx.pem " ,
2013-08-06 15:31:20 +04:00
certchain ,
ARRAY_CARDINALITY ( certchain ) ) ;
2013-08-09 11:53:30 +04:00
DO_CTX_TEST ( true , " cacertchain-ctx.pem " , servercertlevel3areq . filename , false ) ;
DO_CTX_TEST ( false , " cacertchain-ctx.pem " , clientcertlevel2breq . filename , false ) ;
2013-08-06 15:31:20 +04:00
2013-08-21 15:48:58 +04:00
DO_CTX_TEST ( false , " cacertdoesnotexist.pem " , " servercertdoesnotexist.pem " , true ) ;
2013-08-05 20:08:17 +04:00
testTLSDiscardCert ( & cacertreq ) ;
testTLSDiscardCert ( & cacert1req ) ;
testTLSDiscardCert ( & cacert2req ) ;
testTLSDiscardCert ( & cacert3req ) ;
testTLSDiscardCert ( & cacert4req ) ;
testTLSDiscardCert ( & cacert5req ) ;
testTLSDiscardCert ( & cacert6req ) ;
testTLSDiscardCert ( & servercertreq ) ;
testTLSDiscardCert ( & servercert1req ) ;
testTLSDiscardCert ( & servercert2req ) ;
testTLSDiscardCert ( & servercert3req ) ;
testTLSDiscardCert ( & servercert4req ) ;
testTLSDiscardCert ( & servercert5req ) ;
testTLSDiscardCert ( & servercert6req ) ;
testTLSDiscardCert ( & servercert7req ) ;
testTLSDiscardCert ( & servercert8req ) ;
testTLSDiscardCert ( & servercert9req ) ;
testTLSDiscardCert ( & servercert10req ) ;
testTLSDiscardCert ( & servercert11req ) ;
testTLSDiscardCert ( & servercert12req ) ;
testTLSDiscardCert ( & servercert13req ) ;
testTLSDiscardCert ( & servercert14req ) ;
testTLSDiscardCert ( & servercert15req ) ;
testTLSDiscardCert ( & servercert16req ) ;
testTLSDiscardCert ( & clientcertreq ) ;
testTLSDiscardCert ( & clientcert1req ) ;
testTLSDiscardCert ( & clientcert2req ) ;
testTLSDiscardCert ( & clientcert3req ) ;
testTLSDiscardCert ( & clientcert4req ) ;
testTLSDiscardCert ( & clientcert5req ) ;
testTLSDiscardCert ( & clientcert6req ) ;
testTLSDiscardCert ( & clientcert7req ) ;
testTLSDiscardCert ( & clientcert8req ) ;
testTLSDiscardCert ( & clientcert9req ) ;
testTLSDiscardCert ( & clientcert10req ) ;
testTLSDiscardCert ( & cacertexpreq ) ;
testTLSDiscardCert ( & servercertexpreq ) ;
testTLSDiscardCert ( & servercertexp1req ) ;
testTLSDiscardCert ( & clientcertexp1req ) ;
testTLSDiscardCert ( & cacertnewreq ) ;
testTLSDiscardCert ( & servercertnewreq ) ;
testTLSDiscardCert ( & servercertnew1req ) ;
testTLSDiscardCert ( & clientcertnew1req ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 15:31:20 +04:00
testTLSDiscardCert ( & cacertrootreq ) ;
testTLSDiscardCert ( & cacertlevel1areq ) ;
testTLSDiscardCert ( & cacertlevel1breq ) ;
testTLSDiscardCert ( & cacertlevel2areq ) ;
testTLSDiscardCert ( & servercertlevel3areq ) ;
testTLSDiscardCert ( & clientcertlevel2breq ) ;
2013-08-09 11:53:30 +04:00
unlink ( " cacertchain-ctx.pem " ) ;
2013-08-06 15:31:20 +04:00
2013-08-09 02:08:25 +04:00
testTLSCleanup ( KEYFILE ) ;
2011-07-20 22:04:18 +04:00
2014-03-17 13:38:38 +04:00
return ret = = 0 ? EXIT_SUCCESS : EXIT_FAILURE ;
2011-07-20 22:04:18 +04:00
}
2016-06-16 09:54:27 +03:00
VIRT_TEST_MAIN_PRELOAD ( mymain , abs_builddir " /.libs/virrandommock.so " )
2011-07-22 21:59:37 +04:00
2011-07-20 22:04:18 +04:00
# else
2011-07-28 19:48:12 +04:00
2011-07-22 21:59:37 +04:00
int
2011-07-28 19:48:12 +04:00
main ( void )
2011-07-20 22:04:18 +04:00
{
2011-07-28 19:48:12 +04:00
return EXIT_AM_SKIP ;
2011-07-20 22:04:18 +04:00
}
2011-07-28 19:48:12 +04:00
2011-07-20 22:04:18 +04:00
# endif